CN109120618B

Movatterモバイル変換

Info

Publication number: CN109120618B
Application number: CN201810937762.2A
Authority: CN
Inventors: 余荣威; 强辰谊; 徐来; 王丽娜; 张桐; 周博孝; 王斐
Original assignee: Wuhan Huofenghuang Cloud Computing Services Co ltd; Wuhan University WHU
Current assignee: Wuhan Huofenghuang Cloud Computing Services Co ltd; Wuhan University WHU
Priority date: 2018-08-17
Filing date: 2018-08-17
Publication date: 2021-10-22
Anticipated expiration: 2038-08-17
Also published as: CN109120618A

Abstract

The invention discloses a cloud platform controlled side channel attack detection method based on hardware virtualization; the invention locks the memory of the guest virtual machine by operating the EPT of the extended page table, protects the IDT content of the interrupt descriptor table of the guest from being modified by a malicious Operating System (OS), and performs pattern analysis on a page operation sequence, thereby automatically distinguishing a normal memory request from malicious operation. The method can effectively detect the channel attack of the controlled side, reduces the time cost compared with the existing defense method realized by pure software, and does not need to modify the protected program code.

Description

Cloud platform controlled side channel attack detection method based on hardware virtualization

Technical Field

The invention belongs to the technical field of computer information security, relates to a controlled side channel attack detection method in a cloud computing environment, and particularly relates to a cloud platform controlled side channel attack detection method based on hardware virtualization, which is used for solving the problem of leakage of cloud platform application sensitive information.

Background

Cloud computing security has become an important bottleneck hindering cloud computing application and development, and is a hotspot of current network space security. Application virtualization is used as an extremely wide deployment mode of cloud computing, so that sensitive applications of cloud tenants run in a cloud platform operating system container, however, the operating system is generally considered to be untrusted, and the applications face the risk of sensitive information leakage. If Iago attacks the malicious control of the operating system authority, the return address is called by modifying the system, and then the sensitive data of the process is obtained. In the prior art, studies have been carried out to realize high-level security protection systems such as InkTag and Haven by using a higher-privilege-level Hypervisor and trusted hardware, which is beneficial to improving the leakage of application sensitive information caused by an untrusted OS, however, controlled side channel attack is used as a new attack mode, which can successfully bypass the security protection systems, and an attacker can use information possibly leaked by a controllable Page Fault (PF) exception, so as to further deduce the content of sensitive data.

Currently, there are two types of controlled side channel attack defense: based on a method for modifying the distribution of process memory and a method for redistributing system processing routines. The method based on the process memory distribution modification is realized in a pure software mode, the page content is rearranged through memory copy or encryption and decryption, information leaked by a channel is confused, and huge time overhead is introduced at the same time; another scheme realizes re-distributing system processing routines, after new hardware characteristic support is added, an operating system does not separately process interruption events such as page fault errors and the like, but distributes the interruption events to hardware for further processing, and although an attacker can be successfully blocked from acquiring information, the existing traditional program source codes need to be manually analyzed and re-compiled. Therefore, how to realize the sensitive information security protection of the cloud application on the untrusted cloud platform also becomes a key problem to be solved urgently in the field of current information security.

Disclosure of Invention

In order to solve the problem of how to detect the channel attack of the page fault error side by using a virtualization function and solve the problem of sensitive information leakage of cloud platform application under the condition that an OS is not trusted, the invention provides a cloud platform controlled side channel attack detection method based on hardware virtualization.

The technical scheme adopted by the invention is as follows: 1. a cloud platform controlled side channel attack detection method based on hardware virtualization is characterized by comprising the following steps:

step 1: a virtual Machine monitoring VMM (virtual Machine monitor) utilizes a memory management unit MMU (memory management unit) to perform virtualization expansion on a process page table of a guest virtual Machine to obtain an expanded page table EPT (extended page table);

step 2: determining a guest page table structure in an extended page table EPT;

under the control of a virtual machine monitoring VMM, the processor only participates in address translation when working in a non-root mode, and a Memory Management Unit (MMU) carries out virtualization expansion; the EPT directly supports the mapping from a guest Virtual address GVA (guest Virtual address) to a host Physical address HPA (host Physical address) on hardware, and directly supports twice conversion of the guest Virtual address, the guest Physical address and the host Physical address on hardware;

and step 3: modifying the read-write permission limit of the EPT page table entry, and limiting the modification of the protected process page table, thereby locking the memory;

and 4, step 4: the virtual machine monitoring VMM acquires the complete content of the IDT table by reading the IDT table address in the virtual machine control block VMCS, so that the IDT table of the IDT table is ensured not to be modified, and the virtual machine monitoring VMM keeps the relevant records of all system routine address changes and page table content write operations;

and 5: according to an attack model of controlled channel attack, by distinguishing special modification behaviors of a malicious OS to a system structure, a Virtual Machine Monitor (VMM) judges malicious operation of the OS to a protected process.

The technical challenges solved by the invention are:

1. the method does not focus on intercepting the exception in the VMM layer any more, but starts the EPT function, directly monitors the page table content, and avoids the excessive system overhead caused by the fault exception of the page table trapped in the VMM.

And 2, when the VMM layer acquires information, solving semantic gap existing between the Virtual Machine and the VMM by utilizing Virtual Machine Introspection (VMI).

Compared with the prior art, the invention has the following main advantages:

1. through EPT locking memory and IDT content protection and page sequence pattern analysis, the attack behavior can be detected deterministically.

2. The system is easy to deploy, is completely transparent to the virtual machine, and can be intelligently operated on a Qemu console.

3. The invention can effectively detect channel attack on the # PF side and has lower performance cost.

Drawings

Fig. 1 is a schematic diagram of a kernel-side channel attack detection architecture according to an embodiment of the present invention;

FIG. 2 is a flow chart illustrating an embodiment of a monitoring trace page according to the present invention.

Detailed Description

In order to facilitate the understanding and implementation of the present invention for those of ordinary skill in the art, the present invention is further described in detail with reference to the accompanying drawings and examples, it is to be understood that the embodiments described herein are merely illustrative and explanatory of the present invention and are not restrictive thereof.

The technical problem to be solved by the invention is as follows: under the condition that an OS is not trusted, how to detect the channel attack of the page fault error side by using a virtualization function solves the problem of sensitive information leakage of cloud platform application.

A Controlled Channel Attach (CCA) is a novel Attack manner, and can bypass a mainstream security system to steal sensitive data of cloud tenants, thereby posing a serious threat to security privacy of the cloud. In order to prevent the abuse of a controlled channel by a malicious virtual machine system kernel, existing security protection schemes adopt frequent memory page copying or manual marking and recompiling on a sensitive program, so that great time and manual expenses are generated. Aiming at the problem, the invention locks the memory of the guest virtual machine by operating an Extended Page Table (EPT), protects the content of an Interrupt Descriptor Table (IDT) of the guest from being modified by a malicious Operating System (OS), and performs mode analysis on a Page Operation sequence, thereby automatically distinguishing a normal memory request from malicious Operation. The method can effectively detect the channel attack of the controlled side, reduces the time cost compared with the existing defense method realized by pure software, and does not need to modify the protected program code.

The invention limits the modification of the protected process Page Table by directly modifying the read-write permission limit of the Extended Page Table (EPT) Table entry, thereby locking the memory; a Virtual Machine Monitor (VMM) obtains the complete content of an Interrupt Descriptor Table (IDT) by reading the Table address of the IDT in a Virtual Machine Control block (VMCS), ensures that the IDT cannot be modified, and ensures that a VMM layer can keep the relevant records of all system routine address changes and page Table content write operations; according to an attack model of controlled channel attack, by distinguishing special modification behaviors (such as PTE continuous alternation) of a malicious OS to a system structure, the VMM can judge malicious operation of the OS to a protected process. The method does not need to block the channel information acquisition of the untrusted operating system, and achieves the identification and prevention of the attack behavior.

The general architecture of the cloud platform controlled side channel attack detection scheme disclosed by the invention is shown in fig. 1. The system mainly comprises three parts: the system comprises an IDT interception recording module, a page table modification monitoring module and an event correlation detection analysis module. The method limits the modification of the protected process page table by directly modifying the read-write permission limit of an EPT page table entry (a PT layer table entry of a 4-layer page table), thereby locking a memory; the Virtual Machine Monitor (VMM) obtains the complete content of the IDT table by reading the IDT table address in the Virtual Machine Control block (VMCS), thereby ensuring that the IDT table cannot be modified and ensuring that the VMM layer can reserve all the system routine address change and the relevant records of the page table content write operation; according to an attack model of controlled channel attack, by distinguishing special modification behaviors (such as PTE continuous alternation) of a malicious OS to a system structure, the VMM can judge malicious operation of the OS to a protected process. The method does not need to block the channel information acquisition of the untrusted operating system, and achieves the identification and prevention of the attack behavior.

The invention provides a cloud platform controlled side channel attack detection method based on hardware virtualization, which comprises the following steps:

step 2: determining a guest page table structure in an extended page table EPT;

during an attack, a page fault frequently occurs in the execution of a process in a virtual machine, but after the EPT function is started, the virtual machine monitor VMM cannot intercept the abnormal event, so that the monitoring of # PF behavior through VM-EXIT becomes impossible. Therefore, the present invention adopts a method of directly monitoring the Page Table contents, that is, an attacker can directly clear the specific bits of the Page Table Entry (PTE) through the kernel function, so as to modify the mapping result, and the corresponding Page becomes inaccessible, so that the present invention captures the modification behavior by means of a lower-layer EPT mechanism.

First, the corresponding page of the guest page table in the EPT structure is set to read-only (locked). When an attacker modifies these structures, the extended page table conflicts (EPT virtualization) and the system immediately traps to the virtual machine monitor VMM, referred to as trapping for the first time.

The embodiment increases the screening condition by modifying the extended page table EPT Violation handler visualization handler;

the screening conditions are as follows:

1) exit auxiliary information Exit _ Qualification is WRITE _ MASK, corresponding to page table WRITE operation;

2) if the current GUEST _ CR3 is the target process, filtering useless process information; wherein, the GuEST _ CR3 is used for storing the physical address unit content mapped by the GUEST process, namely the GUEST physical address, as the index base address of the next level GUEST page table;

3) the current GUEST PHYSICAL address GUEST _ PHYSICAL _ ADD-RESS value exists in the page number storage structure;

if the above conditions are satisfied, the extended page table EPT will enter the first trap process.

Secondly, the virtual machine monitor VMM grasps the control right, records the address before being modified and the pointing content thereof, and recovers the writable right (unlocked state) at the position, and the MSR register can be modified to set the monitoring Trap identification MTF (monitor Trap flag) so as to enable the client to enter the single step execution mode.

In this embodiment, the system adds a processing procedure of the Monitor Trap, and the operation includes: 1) reading a target address value; 2) setting the page read-only; 3) recovering the monitoring trap signature MTF; 4) and comparing the changed bits of the two values before and after the change.

Finally, after resuming the guest write operation, executing one instruction triggers the MTF to trap again to the virtual machine monitor VMM, referred to as a second trap. When the second trap is processed, reading new content in the record address, and resetting the EPT as read-only, thereby monitoring the next modification operation.

When EPT is turned on, # PF completes the creation and modification of the guest page tables in the guest. After the virtual machine has established the mapping of GVA to GPA, the guest OS will step through the GPA in the page table, if the GPA does not have mapping information in the EPT, it will trap in the virtual machine monitor VMM and trigger EPT virtualization to fill the EPT table. Wherein, # PF is a Page Fault;

TABLE 1 EPT Violation trigger conditions

In order to capture the operation of writing the page table, the 6 th bit of the EPT Pointer and the 1 st bit of the EPT Entry are cleared in the preparation stage according to the requirement of the table 1, and the target page is ensured to be present in the memory. Since the attacker must determine the address space when performing the attack, the mapping information of the guest page table must be established and stored in memory when the page number storage structure is established.

the method for ensuring the IDT table of the interrupt descriptor table not to be modified comprises the following sub-steps:

step 4.1: map file obtains the address of IDT table of interrupt descriptor table, and do _ page _ fault () address in the file is used as the basis of # PF processing routine;

map is the last generated file, containing all executable contexts, the operation addresses and the loading addresses of the data segments; the do _ page _ fault () is an entry for processing the page fault exception, and the do _ page _ fault () address is an entry address for processing the page fault exception; # PF is a Page Fault;

step 4.2: in the virtual machine monitoring VMM, a system reads an IDTR _ BASE field value in a virtual machine control structure VMCS as a gate descriptor pointer, namely, IDTR _ BASE; this pointer is used to calculate the specific # PF and other interrupt handling routine addresses.

Once the value of idtr _ base or the address pf _ addr of the processing routine changes, the virtual machine monitoring VMM can immediately record and serve as an important index of the integrity of the system; if the address changes twice on a standard basis, the associated routine or IDT proves to be no longer secure.

And 5: according to an attack model of controlled channel attack, by distinguishing special modification behaviors of a malicious OS to a system structure (including all operations causing PTE continuous alternation), the virtual machine monitoring VMM judges out the malicious operations of the OS to a protected process.

The method for comparing and analyzing the abnormity of the specific time period by adopting an event correlation method comprises the following specific steps:

step 5.1: extracting metadata of the collected files according to a defined event format, cleaning and standardizing the files to form event metadata, and enabling the characteristics of the side channels to be highlighted;

step 5.2: merging events, and merging events meeting certain conditions into an event stream from a large number of events;

step 5.3: event main body behaviors are extracted, interference of irrelevant events is eliminated, and the processing capacity of the system is improved;

wherein, excluding the irrelevant event, the specific implementation comprises the following substeps:

step 5.3.1: reading the change of PTE value of record, filtering the record which is not qualified, including the difference of gpa, no change of page table content or the changed bit not only including PRESENT and RESERVED bit;

step 5.3.2: and storing the filtered record reconstruction structure into an output file, wherein the structure is < gpa, index, action >, and the action represents a set or clear behavior.

Step 5.4: and determining the characteristics of side channel attack according to the events so as to determine a threat point and achieve the purpose of detection.

The method for determining the threat point comprises the following specific steps of:

step 5.4.1: reading the records excluding the irrelevant events in the step 5.3, and carrying out joint analysis on each record and the latest 10 records;

step 5.4.2, judging whether actions of the same gpa appear alternately or not, and if so, setting the gpa as suspicious;

step 5.4.3: and if the number of the final suspicious addresses is not less than 3, determining to identify the problem of the malicious modified page, and detecting the attack.

The invention realizes the monitoring of the content modification of the target page through the EPT + MTF, and the monitored content is a client page table. Since monitoring the page table involves only write operations to the page contents, there is no impact on those system calls or arithmetic operations. Analysis shows that the data leakage caused by the channel attack of the controlled side is characterized by the following: 1) actively triggered interrupts; 2) a modified process page table; 3) and a hooked page fault handling routine. In this regard, the change information is based on the modified physical page contents, IDT tables, and associated routine address intercepted in the VMM. The general architecture of the overall detection scheme of the present invention is shown in fig. 1. The system adds three parts: IDT interception records, page table modification monitoring and association analysis.

(1) Monitoring a page table;

the present invention adds two new commands in the Qemu system, respectively "start _ monitor pid" and "stop _ monitor". Where the pid needs to be further converted into information that is accessible to the KVM. For this purpose, the system acquires the task _ structure of the target process through a unified interface by using virsh + libvmi, and reads the fields of name, pid and pgd in the structure.

In KVM, the system correspondingly adds two new I/O processing routines (KVM _ START _ MONITOR and KVM _ STOP _ MONITOR) to switch the whole process. Once the KVM receives the open command, it will traverse the guest page tables to create the hash chain storage structure and set the relevant bits for EPTP and EPTE as described above. The memory structure is a custom structure (called mmu _ guest _ page _ hash) that contains the guest page frame number, link pointer, and page table hierarchy number, each structure representing a page table.

The EPT visualization handler typically needs to be modified to increase the conditions for screening. 1) Exit _ Qualification is a WRITE _ MASK, and corresponds to a page table WRITE operation. 2) The current GUEST _ CR3 is the target process and may filter out unwanted process information. 3) The current GUEST _ PHYSICAL _ ADD-RESS value exists in the page number storage structure described above. If the conditions are satisfied, the EPT will handle the access restriction according to the method of the last time it entered the first trapping process. In addition, the system requires a process of adding Monitor Trap (a process step of second trapping). Its operation mainly includes 1) reading the target address value; 2) setting the page read-only; 3) recovering the MTF mark; 4) and comparing the changed bits of the two values before and after the change. Since the analysis module is not real-time, the present embodiment requires further analysis in the following sections.

(2) Monitoring an Interrupt Descriptor Table (IDT);

since the guest OS is untrusted, the guest IDT table contents may also be overwritten by the attacker. The present embodiment cannot determine the integrity of the IDT or whether the OS is hooked at the virtual kernel layer. Thus, the prototype system also monitors integrity in the VMM as a necessary condition to detect attacks.

Attackers commonly employ a way of loading Kernel Modules (Loadable Kernel Modules) to hook system routines. To determine the hooked function, the VMM records the address of the critical structure, such as the IDT table and # PF handler. Since the focus of this embodiment is page table modification, and it occurs significantly more frequently than the address change of the critical structure. Therefore, the present embodiment only needs to monitor in each EPT visualization at the same time.

The basic detection steps are as follows: first, in this embodiment, an address of an IDT table is obtained by a system.map file, and a do _ page _ fault () address in the file is used as a basis for a # PF processing routine. Then, in the VMM, the system reads the IDTR _ BASE field value in the VMCS as a gate descriptor pointer, which is referred to as IDTR _ BASE in this embodiment. This pointer can be used to calculate the specific # PF and other interrupt handling routine addresses. Specifically, in this embodiment, the value of the 14 th entry after the pointer is obtained, and the value is the descriptor of the page fault error (pf _ sel), and the address (pf _ addr) of the processing routine may be further calculated as:

pf_addr＝((u64)pf_sel.offset_high<<32)|(pf_sel.offset_middle<<16)|(pf_sel.offset_low)

once the value of idtr _ base or pf _ addr changes, the VMM will immediately record and serve as an important indicator of system integrity. If the address changes twice on a standard basis, the associated routine or IDT can prove to be no longer secure.

(3) Correlation detection analysis;

the correlation detection analysis adopts an event correlation method to carry out comparative analysis on the abnormity of a specific time period, namely firstly, metadata extraction is carried out on collected files according to a defined event format, and cleaning and standardization are carried out to form event metadata so as to make the characteristics of side channels prominent; secondly, merging events meeting certain conditions into an event stream, extracting event main body behaviors and eliminating interference of irrelevant events; and finally, determining the characteristics of side channel attack according to the events so as to determine a threat point and achieve the purpose of detection.

After the log is recorded, the log needs to be processed and the attack characteristics need to be analyzed. The entire association detection analysis process can be divided into two phases:

the first stage is as follows: the log file is filtered. Firstly, the system filters useless modification, if the Guest Physical Addresses (GPAs) of two adjacent items are equal and only the bit bits which can trigger # PF are different, the related formatting item can be formed; otherwise, the information is noise information and can be ignored. Next, using the uniformly formatted structure < gpa, index, action >, the timing of the occurrence of the index and the behavior (set or clear) of the target is determined.

And a second stage: a sequence of tracking pages is identified. During implementation of the # PF side channel attack, the length of each tracking page subset is typically 2 or 3, taking 10 consecutive entries each time as a comparison interval. Since pages in the trace sequence are adjacent to each other, their PTEs will change in a particular bit upon access. Thus, if there is continuous alternate clear and set behavior, the GPA is said to be suspect and the total number of suspicions is increased, and when the total is not less than 3, it can be determined that a trace sequence exists in the virtual machine.

Fig. 2 is one possible execution flow. The Present bit would be modified in pairs for tracking the corresponding PTE of the adjacent page in the subset of pages. If addresses 0x401000 and 0x402000 are important page addresses, when accessing 0x402000, the PTE bit0 corresponding to address 0x402000 in the page table is set, and the Present bit corresponding to address 0x402000 is cleared immediately, and when accessing 0x402000 again, the attack repeats to wait for the next modification. As can be seen from the record, at page address 0x1010 of the PTE corresponding to virtual address 0x402000, the PTE variation is 0x4024- >0x4025- >0x 4024. In this way, the present embodiment can infer that the operation behavior of the PTE by the attacker changes from setting to clearing.

It should be understood that parts of the specification not set forth in detail are well within the prior art.

It should be understood that the above description of the preferred embodiments is given for clarity and not for any purpose of limitation, and that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims

1. A cloud platform controlled side channel attack detection method based on hardware virtualization is characterized by comprising the following steps:

step 1: the virtual machine monitoring VMM utilizes a memory management unit MMU to perform virtualization expansion on a process page table of a guest virtual machine to obtain an expanded page table EPT;

step 2: determining a guest page table structure in an extended page table EPT;

under the control of a virtual machine monitoring VMM, the processor only participates in address translation when working in a non-root mode, and a Memory Management Unit (MMU) carries out virtualization expansion; EPT directly supports the mapping from the virtual address GVA of the client machine to the physical address HPA of the host machine on hardware, and directly supports twice conversion of the virtual address of the client machine, the physical address of the client machine and the physical address of the host machine on hardware;

the specific implementation comprises the following substeps:

step 3.1: setting pages of a PT layer of a guest page table in an extended page table EPT in an EPT page table mapping as read-only, and when an attacker modifies the page table structures, the system can immediately trap into a virtual machine monitoring VMM (virtual machine monitor) because of extended page table conflict, which is called as first trapping;

step 3.2: the virtual machine monitors that the VMM grasps the control right, records the address before being modified and the pointing content thereof and recovers the writable right at the position; the client enters a single step mode by modifying the MSR register to set the monitoring trap flag MTF;

step 3.3: after the recovery client finishes the write operation, executing an instruction can trigger the monitoring trap mark MTF to trap into the virtual machine monitoring VMM again, which is called as secondary trapping; when the second trap is processed, reading new content in the record address, and resetting the EPT of the extended page table as read-only to monitor the next modification operation;

wherein the IDT table of the interrupt descriptor table is ensured not to be modified, and the specific implementation comprises the following sub-steps:

step 4.2: in the virtual machine monitoring VMM, a system reads an IDTR _ BASE field value in a virtual machine control structure VMCS as a gate descriptor pointer, namely, IDTR _ BASE; this pointer is used to calculate the specific # PF and other interrupt handling routine addresses;

once the value of idtr _ base or the address pf _ addr of the processing routine changes, the virtual machine monitoring VMM can immediately record and serve as an important index of the integrity of the system; if the address changes twice on a standard basis, the associated routine or IDT proves to be no longer secure;

and 5: according to an attack model of controlled channel attack, by distinguishing special modification behaviors of a malicious OS to a system structure, a Virtual Machine Monitor (VMM) judges malicious operation of the OS to a protected process;

the method specifically comprises the following substeps of adopting an event correlation method to compare and analyze the abnormity of a specific time period:

2. The method for detecting the channel attack on the controlled side of the cloud platform based on the hardware virtualization according to claim 1, wherein: in step 3.1, modifying the extended page table EPT Violation handler to increase the screening condition;

the screening conditions are as follows:

3. The method for detecting the channel attack on the controlled side of the cloud platform based on the hardware virtualization according to claim 1, wherein: in step 3.2, the system adds a process of monitoring Trap Monitor Trap, and the operation includes: 1) reading a target address value; 2) setting the page read-only; 3) recovering the monitoring trap signature MTF; 4) and comparing the changed bits of the two values before and after the change.

4. The method for detecting the channel attack on the controlled side of the cloud platform based on the hardware virtualization according to claim 1, wherein: the special modification behavior in step 5 includes all operations that result in a continuous alternation of PTEs.

5. The method for detecting the channel attack on the controlled side of the cloud platform based on the hardware virtualization as claimed in claim 1, wherein the step 5.3 of excluding the irrelevant event includes the following steps:

6. The method for detecting channel attack on the controlled side of the cloud platform based on hardware virtualization according to claim 1, wherein the step 5.4 of determining the threat point specifically comprises the following substeps: